COGR Session: Introduction to The NSF SECURE Center and Overview of Tools/Resources
 
Moderator: Kris West
Panelists:
 

• Deepika Bhatia, Associate Vice President, Research Compliance and Regulatory Affairs, Emory University, and Director Southeast Region (NSF SECURE Center)

• Amanda Humphrey, Chief Research Operations Officer, Northeastern University, and Co-Director, Northeast Region (NSF SECURE Center)

• Lisa Nichols, Executive Director of Research Security, University of Notre Dame, and Deputy Director (NSF SECURE Center)

• Lori Schultz, Assistant Vice President for Research, Colorado State University, and Deputy Director (NSF SECURE Center)

 
The panelists presented a detailed overview of the National Science Foundation (NSF) SECURE Center. The group discussed the background as a collaborative national initiative funded by the NSF to enhance research security across the U.S. research ecosystem, with particular duties as outlined by the CHIPS and Science Act and its mission to empower the research community to make security-informed decisions regarding research security concerns.  The panelists discussed how the NSF SECURE Center is achieving this mission by creating a shared virtual environment (SVE), disseminating best practices, developing frameworks for risk assessment, providing training, and facilitating information-sharing to address security challenges without stifling collaboration.  The NSF SECURE Center is engaging the broad community of individuals (including research security officers, researchers, and administrators) and entities (including institutions of higher education, non-profit research institutions, and small- and medium-size businesses) for input and feedback at all stages of its co-creation process.
 
The panelists then covered the Year One achievements of creating the NSF SECURE Center structure, establishing significant stakeholder engagement, initiating the development of the SVE, launching the Research Security Consolidated Training Module (CTM) and establishing the weekly Research Security Briefing.  In addition, product development of various toolkits, travel resources, terminology guides, and a risk assessment framework were initiated.  Year Two began with the launch of user-testing of the SVE to include increased resources, product development launch of toolkits and guides, refinement of risk assessment tools, and ongoing co-creation of solutions based on stakeholder needs.  Discovery activities continue with various stakeholder groups to understand hurdles and refine the resources needed to address security concerns.  The panelists highlighted the NSF SECURE Center communication and outreach opportunities, visible on the website, and encouraged participation.
 
COGR Session: Complying with DOJ’s Bulk Sensitive Data Rule
 
Moderator: Krystal Toups, COGR
Presenter: David Peloquin, Partner at Ropes & Gray
 
Federal agencies continue to issue rules and requirements regarding the sharing of sensitive data, including the Department of Justice (DOJ) Final Rule on bulk sensitive data regulations, carrying out Executive Order (E.O.) 14117, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” which became effective in April 8, 2025, and the related NIH Policy on Enhancing Security Measures for Human Biospecimens (NOT-DO-25-160), effective October 24, 2025. Peloquin presented a current understanding of the DOJ Final Rule requirements, the intersection with agency-specific regulations, and their application in academic research environments.
 
The DOJ Final Rule on bulk sensitive data regulations are aimed at preventing individuals or entities, which are defined as, “covered persons” or a “country of concern” located in, or affiliated with, China (including Hong Kong and Macau), Russia, Venezuela, Iran, Cuba, and North Korea from accessing certain bulk sensitive personal data (e.g., personal health and human genomic data) relating to individuals in the U.S. or “U.S. persons”, including:
 

• Any U.S. citizen, national or lawful permanent resident;

• Any individual admitted to the U.S. as a refugee or granted asylum;

• Any person located in the U.S. regardless of citizenship; or

• Any entity organized solely under the laws of the U.S. or any jurisdiction within the U.S.
   

The DOJ Final Rule (“Final Rule”) is triggered by transactions involving a “US person” and a “country of concern” or “covered person.” The transactions must reach a certain threshold to be subject to the Rule. The regulations define six categories of U.S. sensitive personal data with defined thresholds:
 

• Human 'omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons.

• Biometric identifiers collected about or maintained on more than 1,000 U.S. persons.

• Precise geolocation data collected about or maintained on more than 1,000 U.S. persons.

• Personal health data collected about or maintained on more than 10,000 U.S. persons.

• Personal financial data collected about or maintained on more than 10,000 U.S. persons.

• Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons.
   

These thresholds are measured for the preceding twelve months either through a single data transaction or aggregated transactions involving the same covered person. The regulation also applies to U.S. government-related data defined as (i) any precise geolocation data relating to a list of over 700 geofenced areas near government facilities, and (ii) sensitive personal data that is marketed as linkable to employees, contractors, or officials of the United States government. Peloquin noted that the Final Rule applies to U.S. sensitive personal data or U.S. government-related data even if it has been de-identified, anonymized, or encrypted.
 
An interesting insight is that “Covered Person” is also defined as an entity that is 50% or more owned, directly or indirectly, individually or in aggregate, by one or more countries of concern, or organized or chartered under the laws of, or has its principal place of business in a country of concern, or employees or contractors of such entities or resident in the territorial jurisdiction. Within this complex web, it is important to note that this definition would include U.S. and foreign subsidiaries with 50% or more ownership originating from a “country of concern”. “Covered person” also includes any person, wherever located, as determined by the Attorney General to a) have been or likely to become owned, controlled, subject to the jurisdiction or the direction of a “country of concern” or “covered person”, b) acted on behalf of a “country of concern” or “covered person”, or c) knowingly caused or directed a violation of the Final Rule.
 
The Final Rule prohibits U.S. persons from knowingly engaging in a covered data transaction involving data brokerage with a country of concern or covered person, where data brokerage is defined as the sale of data, licensing of access to data, or similar commercial transactions (those involving “payment or other valuable consideration”, which could potentially include a license to IP or structured data set, where the recipient did not collect or process the data directly from the individuals linked or linkable to the data. Peloquin further highlighted that transactions involving access by a “foreign person” (not a U.S. person) who is not a “covered person” must contractually restrict the foreign person from “on-ward streaming” the data, meaning prohibiting the foreign person from subsequently engaging in a covered data transaction involving data brokerage of the same data with a country of concern or foreign person.
 
Exchange of data for research purposes that does not involve money or “other valuable consideration” would not be considered commercial transactions. Other exemptions most relevant to higher education include data that is public at the time of the transaction and transactions that are conducted pursuant to U.S. federal government department and agency grants, contracts, or other agreements. Data transfers resulting from research, as part of licensing activities, will need additional scrutiny.
 
U.S. persons are prohibited from knowingly engaging in any covered data transaction with a “country of concern” or “covered person” that involves bulk U.S. sensitive personal data consisting of bulk human ‘omic data, or human biospecimens from which it could be derived. An exception is human biospecimens intended solely for use in diagnosing, treating, or preventing a disease or medical condition.
 
Peloquin noted that federal agencies can create their own policies which “sit aside” the Final Rule. For example,  the NIH policy on enhancing security measures for human biospecimens prohibits sharing of all biospecimens, including new cell lines unless commercially available, of U.S. persons (regardless of identifiability) which are collected, obtained, stored, used, or distributed using ongoing or new NIH funds with institutions or parties in “countries of concern” with the exception of three limited circumstances. These include: transactions authorized by federal law or international agreements or necessary to comply with law; in the rare circumstance where the facility or personnel in a country of concern possess needed capabilities or expertise not available elsewhere and use cannot be delayed; or at the request of the individual from whom the biospecimen was collected for the purposes of diagnosis, prevention, or treatment of that individual. Any such distribution must follow applicable export administration requirements as well. Documentation must be obtained if biospecimens are shared or distributed under these circumstances and provided to the NIH upon request.
 
Peloquin provided some case examples for licensing transactions which affect higher education institutions.  Additionally, the research community is reminded to use data transfer and use agreements when sharing data with any party and material transfer agreements as appropriate, including language prohibiting further, “onward” transmission of the shared data. Foreign ownership consideration is also applicable when submitting data to a public repository.
 
COGR Session: Unboxing Gifts, Monetary Donations, and Common Form Other Support
 
Moderator: Kris West, COGR
Presenters:
Megan Dietrich, Director, Client Advocacy and Education, Stanford University
Lindsey Spangler, Associate Dean, Research Integrity, Duke University
Derek Jones, Associate Director, Research Operations and IT Integrations, Duke University
 
In alignment with National Security Presidential Memorandum 33 (NSPM-33), many federal research funding agencies issued updated guidance on the disclosure of Current and Pending (Other) Support.  Typically, this guidance noted that researchers did not need to disclose “unrestricted gifts” as a form of Current and Pending (Other) Support.  However, following recommendations from a report issued by the Office of the Inspector General, National Institutes of Health (NIH) guidance now indicates that researchers must disclose “Monetary donations that support an investigator's research activities, that are given with an expectation.” The agency has also provided additional scenarios as examples when monetary donations need to be disclosed.  In addition, recent Department of Energy (DOE) Notice of Funding Opportunities (NOFOs) have included requirements that researchers disclose all gifts, with or without expectations.
As a result of these evolving requirements, recipient institutions are working to ensure that researchers and research administrators have access to sufficient data to make these disclosures, and to implement policies, processes, training, and communications to support the requirements.
 
Duke University has implemented a centralized system for Current and Pending (Other) Support reporting that integrates data from multiple sources including sponsored awards, proposed projects, in-kind resources, and outside interest disclosures, that allows researchers and research administrators to build researchers’ Current and Pending (Other) Support documentation.  Duke is working on including “monetary donations” as one of the data sources integrated within the tool.  The system also includes functionality to generate an XML file of the data that can be uploaded to SciENcv for reporting to federal agencies.
 
Stanford University has adopted a similar model, pulling together data from a variety of institutional sources into a single reporting tool.  While Stanford’s system does not generate XML for submission to SciENcv, it does provide researchers and administrators with the foundational information needed to complete Current and Pending (Other) Support.  In addition, Stanford has implemented two required training modules on disclosure, one of which focuses entirely on the process of completing disclosures (e.g., Other Support) using various institutional data sources.
 
Even with these advancements, challenges remain.  For example, questions have arisen concerning the correct means of reporting monetary donations to researchers that are designated for multiple purposes (e.g., a faculty member’s research, teaching, and service work).  In addition, questions remain regarding the appropriate mechanism for reporting “monetary donation” information to federal agencies, as the current SciENcv format does not readily support inclusion of this data.
 
COGR Session: Forthcoming Federal Research Security Program Requirements and FDP Cybersecurity Guidelines Demonstration
 
Moderator: Jennifer Ponting, Associate Vice President for Research Administration, University of Chicago.
Panelists: Jarret Cummings, Senior Advisor for Policy and Government Relations, EDUCAUSE, and Lisa Nichols, Executive Director of Research Security, University of Notre Dame
 
Cybersecurity is one of the “pillars” of research security programs (RSPs) that will be required by federal research funding agencies when they roll out RSP requirements in the near future to comply with (National Security Presidential Memorandum-33 (NSPM-33).  This session provided an update on the collaborative initiative led by the Federal Demonstration Partnership (FDP) and EDUCAUSE to develop practical research cybersecurity approaches tailored to the needs of federally funded research institutions. An overview of the project was provided, which brought together working groups of university, federal agency, and association representatives to identify emerging cybersecurity risks to fundamental research and to create “effective practices,” rather than prescriptive guidelines, that institutions can adapt within their research security programs. The effort included multiple stages of drafting and review, with input from dozens of universities, federal partners, and the broader research community before producing a final set of recommended practices.
The resulting framework will encourage institutions to develop a research cybersecurity plan outlining stakeholder roles, approaches to risk assessment and mitigation, and strategies for integrating the NSF Critical Controls Set, which includes measures such as phishing-resistant multi-factor authentication, endpoint protection, data backups, infrastructure inventories, and incident response planning. Importantly, the model will emphasize institutional discretion, allowing universities to determine how best to implement or adapt these controls within their research environments while documenting their rationale. The panelists noted the model framework is currently undergoing further review by federal representatives.